
Re: [FW1] Intrusion Detection - Automated Response




On Fri, 12 Jan 2001, Jon Vandiveer wrote:


> Yup, but I don't like getting paged @ 3am when the script kiddies are
> online. I would rather lock them down and worry about it in the morning.

Jon, let me introduce you to a little utility, nmap.  Below is an example
of how that little script kiddie would crush your network if you had your 
IDS block systems that scanned your network.

nmap -D a.root-servers.net,b.root-servers.net,c.root-servers.net,d.root-servers.net,e.root-servers.net,f.root-server.net,f.root-servers.net,h.root-servers.net,i.root-servers.net,j.root-servers.net,k.root-servers.net -sS <your network>

> > Personally, I'd be extremely hesitant about implementing any kind of
> > automated response system.  NIDS are well known for getting boatloads of
> > false positives.  And of course there's always the worry that once someone
> > realizes you're using an auto-response system, how long before it takes
> > them to figure out how to use it against you?  (i.e. forging packets from
> > other IPs to create a DoS attack)

lance
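
Added example, not part of the original message: a sketch of the guard logic an auto-response script needs so that forged source addresses cannot turn it into a self-inflicted DoS. The Responder class, the alert fields, the allowlist entries and the sample alerts are all constructed assumptions, not the output or API of any particular IDS.

```python
import ipaddress

# Constructed allowlist (assumption): hosts an auto-responder must never block.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "198.41.0.4/32",   # a.root-servers.net
    "192.0.2.0/28",    # hypothetical upstream resolvers / gateways
)]

class Responder:
    def __init__(self, ttl=900, max_blocks=2, window=60):
        self.ttl, self.max_blocks, self.window = ttl, max_blocks, window
        self.blocks = {}   # source IP -> expiry time (blocks are never permanent)
        self.recent = []   # timestamps of recent blocks, for the circuit breaker

    def decide(self, alert, now):
        src = ipaddress.ip_address(alert["src"])
        if any(src in net for net in NEVER_BLOCK):
            return "log: allowlisted"
        # A bare SYN proves nothing about who sent it; only act on sources that
        # completed a TCP handshake, which a blind spoofer normally cannot do.
        if not alert["established"]:
            return "log: unverified source"
        self.recent = [t for t in self.recent if now - t < self.window]
        if len(self.recent) >= self.max_blocks:
            return "escalate: block rate limit"   # stop blocking, get a human
        self.recent.append(now)
        self.blocks[str(src)] = now + self.ttl
        return "block"

    def active_blocks(self, now):
        self.blocks = {ip: exp for ip, exp in self.blocks.items() if exp > now}
        return sorted(self.blocks)

# Constructed sample alerts: a SYN scan with decoy sources, then real sessions.
SAMPLE = [
    {"src": "198.41.0.4",   "sig": "syn-scan",  "established": False},
    {"src": "203.0.113.50", "sig": "syn-scan",  "established": False},
    {"src": "198.41.0.4",   "sig": "cgi-probe", "established": True},
    {"src": "203.0.113.7",  "sig": "cgi-probe", "established": True},
    {"src": "203.0.113.8",  "sig": "cgi-probe", "established": True},
    {"src": "203.0.113.9",  "sig": "cgi-probe", "established": True},
]

def run_sample():
    r = Responder()
    return [r.decide(a, now=i) for i, a in enumerate(SAMPLE)], r

if __name__ == "__main__":
    for alert, verdict in zip(SAMPLE, run_sample()[0]):
        print(alert["src"], alert["sig"], "->", verdict)
```
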


